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Editorial 



Dear Readers, 

We here at The Hacker News were very 
humbled to be given the opportunity to celebrate a 10 million 
total hits to the website. Wow! We are so very grateful for 
your support and as I told you last month, I don't think Hack 
ing is going anywhere and neither are we!! 



Your feedback is very important to us. Feel free to send us 
your thoughts and desires for Hacking news. If you want to 
write an editorial, let us know. We'd love to include it next 
month. For now, we will see you in our daily and best wishes 
for a great month. 



Mohit Kumar, 

Founder - The Hacker News 
www.thehackernews.com 



Team Members 

Patti Galle 
Priyanshu Sahay 
Kislay Bhardwaj 






LINUX 

means freedown 




Linux is a computer operating system which is based on free and open source 
software. Although many different varieties of Linux exist, all are Unix-like and 
based on the Linux kernel, an operating system kernel first released October 5, 
1991 by Linus Torvalds. Linux is an operating system for your computer. Like 
the Mac and Windows systems, it provides the basic computer services 
needed for someone to do things with a computer. It is the middle layer be- 
tween the computer hardware and the software applications you run. Linux 
was developed by Linus Torvalds and a band of programmers who voluntarily 
developed the core program of the system (aka, the kernel). 

Linux History Timeline: 

April 1991: From his dorm room at the University of Helsinki, college student 
Linus Torvalds begins working on his own operating system kernel, mostly just 
to see if he could do it. As he was doing his early development in a Unix clone 
called Minix, he posted a note to a Minix newsgroup that said, "I'm doing a 
(free) operating system (just a hobby, won't be big and professional like gnu) 
for 386(486) AT clones." Torvalds was wrong in his assessment of his creation's 
potential. 
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Just over a year after Torvalds began working on his pet project, the 
first comprehensive distribution of Linux, Softlanding Linux System, shipped to 
users. SLS stood out for its incorporation of TCP/IP and X Windows. 

Slackware Linux, developed by Patrick Volkerding, launches as the 
first commercial Linux distribution. It is currently the oldest Linux distribution 
still underdevelopment. 

Linus Torvalds releases Linux 1.0, consisting of 176,250 lines of 

code. 

95: Linux gets its own trade conference, Linux Expo, created by Donnie 
Barnes at North Carolina State University. Barnes went on to work for Red Hat, 
which later took over the expo. 

November 1998: In the midst of a federal antitrust lawsuit, Microsoft lawyers 
present a box of Red Hat Linux as evidence that Windows did not represent a 
monopoly on the OS market. 

VA Systems launches SourceForge, which becomes a leading 
repository of open source projects for Linux and other platforms. 

Canonical releases Ubuntu 4.1, aka "Warty Warthog," which 
raised the bar for community-developed Linux distributions with a six-month 
release cycle and a focus on user experience. 

January 2007: Several leading mobile technology companies, including Mo- 
torola, NEC, Samsung, NTT DoCoMo, Panasonic, and Vodafone form the LiMo 
Foundation to collaborate on Linux-based smartphones. This represents a 
major shift in the direction of Linux devices, and presages the arrival of Google 
Android. 

7: The Open Handset Alliance, which includes Google, Intel, 
Sony, HTC, Motorola, and 78 other companies, announces its presence with a 
preview of Android. One week later, the OHA released a SDK to developers. 
October 2008: The first commercial Android phone, the T-Mobile Gl, ships to 
consumers, marking the emergence of Linux onto mainstream consumer com- 
puting devices. On mobile phones, Android has gone on to compete mightily 
with Apple's iOS, putting Linux squarely in the forefront of today's hottest plat- 
form war. 
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We have collected some really interesting facts about the Linux kernel. So if 
you are a Linux fan - Read on: 

A 21 year-old Finnish college student created the Linux kernel as a hobby. 
(Do you know him?) 

2. An asteroid was named after the creator of the Linux kernel. 

Thousands of developers/programmers scattered all around the world are 
continuously contributing to the development of the Linux kernel. 
4. The Linux kernel's official mascot is a penguin named Tux. 

According to a study funded by the European Union, the estimated cost to 
redevelop the most recent kernel versions would be at $1.14 billion USD. 

As of today, only 2% of the Linux kernel has been written by Linus Torvalds. 

The Linux kernel is written in the version of the C programming language. 
8. Linux is now one of the most widely ported operating system kernels, run- 
ning on a diverse range of systems from handheld computers to mainframe 
servers. 

Linux kernel 1.0.0 was released with 176,250 lines of code. The latest Linux 
kernel has over 10 million lines of code. 

Microsoft Windows and the Linux kernel can run simultaneously in parallel 
on the same machine using a software called Cooperative Linux (coLinux). 

At first, Torvalds wanted to call the kernel he developed Freax (a combina- 
tion of "free", "freak", and the letter X to indicate that it is a Unix-like system), 
but his friend Ari Lemmke, who administered the FTP server where the kernel 
was first hosted for downloading, named Torvalds' directory linux. 

A guy name William Delia Croce, Jr. trademarked the name Linux and even- 
tually demanded royalties for its use. He later agreed to assign the trademark 
to Torvalds. 

The Linux kernel can be found on more than 87% of systems on the world's 
Top 500 supercomputers. 

A "vanilla kernel" is not an ice cream flavor but an unmodified version of 
the Linux kernel. 

The Linux Kernel is not in any way related to the army rank called 'Colonel'. 



Source: http://goo.gl/KfwpQ 
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How to Make My Linux Server Secure ? 

A Linux server can be more secure and powerful than a Windows server, but 
you cannot forget even the smallest detail or you can be left totally unsecure. 
Security professionals make it harder for hackers or attackers, if they use an 
unpatched Linux server. An administrator should implement the good security 
against hackers (crackers). There is a different level of security required for 
web application security when used with SQL-Injection, XSS. 

Application security, however, is not the main point of this article; we are going 
to limit our discussion to Linux server security. 



Strong Passwords Should Be Used 

We know the importance of using 
passwords to protect against pass- 
word based attacks like brute 
force, dictionary attack and many 
more. So, you should always use a 
strong password combination of 
lower case upper alphabet, num- 
bers and special characters; don't 
use birth date, car license number, 
or your name as a password. One 
trick you can use is to substitute '4' 
in place of 'A', '3' in place of 'E', '5' 
in place of 'S', and so on. 

Use Cryptography 

Cryptography is the art of secure 
communication. All the data that 
goes through network may be 
sniffed, so use encryption tech- 
niques to secure your data. You 
can use lightweight SSL VPN; or 
use SCP, SSH, RSYNC, or SFTP for 
file transfer. 
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Avoid Remote Logins If Possible 

As we know, data that travels network to network might be captured by at 
tacker. Services like FTP, Telnet, and different FTP's may be compromised. So, if 
possible, avoid using these services from a remote location. If you cannot 
using these services, then use SSL or FTPS. 



Patched Management 

There are many free opportunities available on the market for different soft 
ware and services. So, the system administrator has to be sure to follow the 
proper patch management strategy to keep your Linux kernel updated when 
ever a new patch is released. And, all software and services which are running 
on that server should be up to date to maintain the security of your Linux 
server. 

Use Intrusion Detection Systems or Intrusion prevention Systems 

Firewalls have limitations. So, if possible, use intrusion detection systems (IDS) 
or intrusion detection systems (IPS). You must configure both network IDS 
(NIDS) and host IDS (HIDS) to protect the attacks like DOS, port scanning, MAC 
scanning, buffer over flow attack etc. 

Linux Security Extensions 

Securing the Linux kernel is the key to secure the Linux server. There are vari- 
ous security packages available to provide the additional security to Linux 
kernel. Try to use software like SELinux, AppArmor or GRSecurity. 

Use Log Management 

Use a strong log management policy to keep an eye on the each change and 
error. Besides the Linux built-in log management files, there are different soft- 
ware packages available for auditing and log management. 

This article will provide the user or administrator with the basic knowledge 
needed to improve the security of a Linux server. Basic system security (e.g., 
having a regular backup strategy, using strong and un-guessable passwords, 
and removing unnecessary services running on server) is essential administra- 
tion required to secure your data. 
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This provides basic security against hacker or crackers. You need to study and 
try to learn security as much as possible and keep your eye on latest attack "0" 
day, new or renewed attempted attacks. Use your device services properly 
(i.e., firewall, IDS, and IPS). Misconfiguration by the administrator is the main 
reason servers become vulnerable to attack. Some of the tools mentioned 
below can be used for network monitoring, port scanning, and vulnerability 
scanning, etc. All of these tools are freeware available under General Public Li- 
cense. Download these tools only from trusted sites. 

Network Monitoring 

NSAT: Network Security Analysis Tool 
SniffDet: Remote Sniffer Detection Tool/Library 
Tcpdump: Network debugging tool 




Network Traffic Analyzer 

Dsniff: Collection of tools for network auditing and penetration testing 
Wireshark: Network protocol analyzer 

Portscanner 

Angry IP Scanner: Fast and friendly network scanner 
Vulnerability Scanner 

Nessus: Comprehensive vulnerability scanning software 
Log File Analyzers 

AWStats : Advanced web, streaming, ftp or mail server statistics, graphically 
Tcptrace: Analyze TCP dump files 

Password Management 

KeePassX: Lightweight and easy-to-use password manager 
OpenVPN: Full-featured SSL VPN solution 



Submitted by : Jatin Jain ( INFORMATION SECURITY CONSULTANT ) 

Contact : jatinjain23@yahoo.com 
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September should be officially declared as the "Hackers' month/ 7 And why 
shouldn't it be? Going by the number of hackathons organized within this one 
month, it wouldn't be surprising if this does happen. 

Hackathon is an event that spans over a few days allowing the developer com- 
munity to converge and create software and applications bottom-up. The de- 
sired end goal may be pre-defined or may be left to the developer's discretion. 

Inception: It all started in 1999 with OpenBSD and SUN using the term "Hacka- 
thon" independently, although, for different reasons. OpenBSD's emphasis 
was on cryptographic development while SUN wanted to build java programs 
for a personal digital assistant. Ever since, Open BSD has organized this event 
at least once a year primarily for faster development of OpenBSD. Attendees 
have come by invitation only unlike SUN's "JavaOne Conference" which is open 
to all developers. The model followed by SUN is now commonplace among 
other organizers. 

Over time, the number of Hackathons has increased considerably. One can get 
a good idea about this simply by Googling the term. You'll notice how every 
other company these days is using this idea to organize one of its own. After 
all, it benefits all parties involved in more ways than one. 

Hackathons this year: Facebook was among the first ones to announce the 
"2011 Hackers Cup" in December last year, way ahead of others. In this annual 
programming competition, engineers worldwide participated in a multi-round 
contest and solved algorithmic-based problems. They proceeded forward 
based on the accuracy and speed of their solution. 
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Foursquare, the location based company, hosted its very first global Hackathon 
on September 17-18, 2011. In the case of both these companies, winners got 
monetary rewards as well as opportunities to meet the big-wigs in the IT and 
business industry. 

TechCrunch organized its annual Disrupt Hackathon. A number of sponsors 
also offered high value rewards to the winners. Building apps for the various 
sponsors like Ford, Bridgewater, and others was the objective of the event. It 
was conceived targeting the growing smartphone footprint and the exploding 
apps industry. 

And, this was just the tip of the ice-berg. In the last week of September 2011r, 
RIM announced October 6-7, 2011 as the date for its annual "BBM Apps 
Hackathons" in Toronto, Canada. The purpose of this event is to help applica- 
tion developers' work with the BlackBerry Messenger social platform, which 
was announced last September at its annual developer conference. Nokia 
didn't stay behind either. The N9 Hackathon is being held in Vienna in October 
7-8, 2011. No prizes for guessing that the focus will be on building apps for the 
Nokia N9. 

HP drew on the entire developer community to garner support for its "Hacking 
Autism" event on October 11, 2011 for humanitarian purposes. Apps built 
during this event will be available for free to help autistic children. 

And then there is the India Hackathon in Mumbai on November 19-20, 2011 
where the theme is "Language, Mobile & Offline". Organized for the very first 
time, it is expected to attract a lot of talent from the Asian subcontinent. 

Who benefits: It is interesting to observe that most of these events turn out to 
be a success. What was initially started by hobbyist programmers as a medium 
to get together and meet like-minded people, has today turned into a mega, 
hundreds of thousands of dollars worthy affair. 



However, in my opinion, everyone stands to gain from this wide acceptance. 
Companies realize the importance of this platform to attract major talent and 
get some incredible work done in a relatively short period of time. After all, 
they own every app and software created during the event. 
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Developers gather in a "small-scale war-room", and get to be among the first 
ones to play with the APIs of some new features offered by companies, some 
of them yet to be released to the outside world. These APIs are either kept 
relatively open or are allowed to be hacked by the developers, adding to the 
existing challenges of the sleep-deprived engineers. 

It is the experience, nonetheless, which is considered invaluable. For several 
attendees, their first Hackathon was nothing short of a life turning event. They 
got to meet their idols in person, may have even collaborated with them, and 
participated in a thrilling, mind-numbing experience. The event itself elevated 
their spirits and gave a new meaning to their identity. The preparation as such 
takes several months of efforts. Like any other marathon, it takes considerable 
preparation work including team building, planning, and executing. Despite all 
the hard work, the day of the competition, is unlike any other day. Participants 
choose to work non-stop or take turns, regularly feeding themselves on Red- 
bull, beer, pizza slices and caffeine. The key to winning is to keep ones' cool and 
constantly focus on reaching the finish line. After all, a lot can be at stake. Sub- 
stantial prize money, which can go up to thousands of dollars, once in a life- 
time prospect of working on the next big thing in the industry, invitations to 
major industry conferences - all expense paid, and a huge opportunity to g 
into the heads of technologists and business people. And not to forget, the 
pride gained after winning a prestigious competition, something that stays for- 
ever. 



About Author: Nidhi Rastogi is a Cybersecurity professional based in New York. 
She has over 7 years of experience in a variety of roles including wireless secu- 
rity, mobile devices, and application development at companies like Verizon 
Wireless, GE Energy, and LTI. Nidhi is a graduate of University of Cincinnati and 
can be contacted at nidhi.gupta@gmail.com 
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Insider Threats vs. Hackers 



News about cyber security, Anonymous, and Lulzsec are constantly making 
headlines these days, as well they should. It seems that Anonymous is hacking 
into confidential information on an almost weekly basis. Yet, despite this talk 
of external risks, the real threat to businesses often comes from within, in the 
form of insider threats. 

Although the intent of a hacker is generally more insidious, the insider threat 
is more prevalent simply due to an employee's access to company data. Insid- 
ers often have access to sensitive data without having to circumvent security 
measures designed to keep out external threats. 

But which is really a bigger threat to your organization? A malicious hacker or 
a disgruntled employee with access to the company's confidential data? 
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A recent survey, "2011 CyberSecurity Watch Survey" found that, although 
there are more instances of cyber threats, their overall cost is less than that of 
an insider caused data breach. The survey concluded that "more attacks (58%) 
are caused by outsiders (those without authorized access to network systems 
and data) versus 21% of attacks caused by insiders (employees or contractors 
with authorized access)... however 33% view the insider attacks to be more 
costly" 

Essentially, although external threats such as hackers may be more frequent, 
their effect is generally less substantial and costly than that of an insider 
threat. A recent example of this occurred in May when an executive at Boston 
Bank and Trust Co. resigned and absconded with proprietary bank informa- 
tion, taking trade secrets with him to his new employer, First Republic Bank. 

The fact of the matter is that companies need to be concerned with BOTH ex- 
ternal cyber attacks as well as the threat posed by insiders who have access to 
their sensitive data. One method of tackling these threats is through the use 
of Data Loss Prevention (DLP) software. DLP generally refers to systems that 
identify, monitor, and protect data in use, data in motion, and data at rest. 

DLP software utilizing auditing systems and endpoint security are available in a 
wide range of configurations and prices. From simple USB device control to 
full system control, the choice will depend on budget and needs. 

The use of DLP and endpoint security allows administrators to manage who 
and what can access their network and data while an auditing system will keep 
an audit log of which files are accessed or downloaded. In addition to end- 
point security, some vendors offer remote management capabilities for mobile 
devices. If you have a rogue or lost flash drive, smartphone or tablet, you can 
remotely erase it, negating any possible data breach. 

Be sure to investigate the options out there. 

About the author: Emmett Jorgensen has worked in IT and Infosec for over 10 
years. He works for Kanguru Solutions (www.kanguru.com), a manufacturer of 
secure portable storage solutions. Kanguru specializes in FIPS Validated, en- 
crypted flash drives, remote management and USB device control. 
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1.) Find biggest files / directories: Sometime it is necessary to find out what 
file(s) or directories is eating up all disk space. Further it may be necessary to 
find out it at particular location such as /tmp or /var or /home etc. 



STEP #1 - Use the "du" command with these options 



du -a /var | sort -n -r | head -n 10 



Where: 

-a : Include all files, not just directories (du command) 

-h : Human readable format 

-n : Numeric sort (sort command) 

— r : Reverse the result of comparisons (sort command) 

-n 10 : Display 10 largest file. If you want 20 largest file replace 10 with 20. 

2.) Execute Command in SSH without opening Shell: Generally whenever we 
intend to run some command on remote machine, we first do a ssh and then 
type the command to be executed. Here is a very small "trick" to be smarter. 
Lets say you want to run "top" command on the machine x.x.x.x using SSH. 
First find out the path of the top command using - whereis top 
Second, once you get the path. Now just type this 



ssh -X user@x.x.x.x /path/to/the/command 
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3.) Change MTU size: On gigabit networks, large maximum transmission units 
(MTU) sizes (JumboFrames) can provide better network performance for our 
HPC environment. If you want to transfer large amounts of data at gigabit 
speeds, increasing the default MTU size. Can provide significant performance 
gains 

STEP #1 - Change MTU size with "ifconfig" command : 



fconfig ethO mtu 9000 up 



STEP #2 -To make this MTU size permanent. Put it under the interface configu- 
ration file i.e. /etc/sysconfig/network-scripts/ifcfg-ethO. 



vi /etc/sysconfig/network-scripts/ifcfg-ethO 
add... 

MTU="9000" 



STEP #3 - Remember to restart the network service: service network restart 

3.) Collaborate Screens: Suppose you want to show your your friend how to 
solve a problem, but you are on a remote location. Solution is to share the col- 
laborate the screen. 

STEP #1 Should have "screen" package installed on machines, using yum or 
rpm, then : ssh yourusername@remote-machine 

STEP #2 Once you are there run: 



screen -S anyname 



STEP #3 Then tell your friend to run this command: 



screen -x anyname 



This will make your and your friend's sessions joined together in the Linux 
shell. The benefit is that your friend can watch your troubleshooting skills and 
see exactly how you solve problems. The one caveat to this trick is that you 
both need to be logged in as the same user. To detach from it and leave it open, 
type: Ctrl-A+D. You can then reattach by running the screen -x anyname com- 
mand again. 
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5.) How to crack weak passwords in your server using JOHN-THE-RIPPER 

STEP #1 - Install "John-the-ripper" from the link given below and install using 
rpm : http://dag.wieers.com/rpm/packages/john/ 



STEP #2 - Use "unshadow" command to combine /etc/passwd and 
/etc/shadow files, so that john-the-ripper can use it 



/usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/myfile.db 



this command combines /etc/passwd and /etc/shadow file to be used. 

STEP #3 - Use "john-the-ripper" to see the cracked passwors: john -show 
/tmp/myfile.db 



ul:abcl23:505:505::/home/ul:/bin/bash 
u2:didil23:506:506::/home/u2:/bin/bash 



shows user ul has a password of abcl23 and u2 has a password of didil23 

6.) Check login activity: Important issue for administrator. How to check the 
login activity? 

CASE #1 - Checking "PHYSICAL" login activity. Use these commands 



last (for checking successful login attempts) 
lastb (for checking un-successful login attempts) 




CASE #2 - Checking the REMOTE login activity. 



cat /var/log/secure* | grep -i accepted --color 



* is to read from the backup logs also omit if you don't want to see those. 
This will show ALL successful remote login attempts. 



cat /var/log/secure | grep -i sshd --color 



This will show all successful remote login attempts using SSH. 

Submitted by : Alok Srivastava, is the founder member of Network NUTS. He 

hold MCP, MCSE, MCSA, MCDBA, MCT, CCNA, CCNP, RHCE & RHCSS certifica- 
tions. Probably, he is the most experienced trainer in India. He is also an active 
blogger and likes to share his knowledge with everyone; you can read his posts 
under forum section of www.networknuts.net . Under his leadership and 
technical guidance Network NUTS is #1 in Asia Pacific for the redhat exam pass 
percentage. 
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WINDOWS 8 

5^ Touch the Futur 




Windows 8, which was fully unveiled at the Windows Build Conference 
in Anaheim, California, is here, and it looks much, much different from 
Windows 7. Sure, it has the start-bar-and-icon "Desktop" look that Win- 
dows users are familiar with, but it also has a new, touch screen- 
optimized interface called 'Metro,' which looks more like the Windows 
Phone operating system and which looks like the future of Microsoft 
Windows from here on out. 

Some important Key features of Windows 8 : 

1. Support for both x86 PCs and ARM tablets: Windows 8 is the first edi- 
tion of Windows to operate on both ARM -based tablets and traditional 
x86 PCs based on ARM processors from Intel and AMD. 

2. Boot in less than 20 seconds: Microsoft developed a new "Hybrid Boot 
Mode" which drastically reduces boot time to less than 20 
seconds."Hybrid Boot Mode" is a combination of "Log Off and "Hiber- 
nate"- which means, when a user clicks on shutdown, it closes all appli- 
cations and log off then goes to hibernate mode. 

3. Windows Store: This is the name of the app store of Microsoft. It 
allows you to browse through categories, making app purchases, rate 
apps, download trails and so on. 
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4. Automatic Maintenance: Microsoft Windows 8 comes with a new fea- 
ture "Automatic Maintenance" which automatically defrag your hard 
disks, runs the .Net optimization services and checks for solutions to 
problems. This feature drastically improves the performance of your 
system. 

5. Touch-centric, Tiles-based User Interface (UI): Microsoft is actually 
layering a new animation-enabled user interface (UI) on top of an only 
somewhat upgraded Windows 7. The [Metro] apps are full-screen. 
They're beautiful. They're designed for touch, but of course, they work 
great with a mouse and keyboard as well if that's what you have. 

6. Snap Multi-tasking: 'Snap multitasking" is designed to make it easy to 
run two apps in Windows 8 side-by-side, to resize them, and to switch 
between them. On the right-hand side of the screen, you can snap an app 
into place. 

7. Built-in antivirus protection: In a move that is likely to anger the anti- 
virus industry, Microsoft is adding security features from its Security Es- 
sentials program to Windows 8. 

8. Built-in Hyper- V: The client version of Windows 8 will include virtual 
machine capability - Hyper-V technology that previously was only in- 
cluded in the Server editions of Windows and now will be part Windows 
8 client. Hyper-V is an important piece of technology that makes pos- 
sible virtualization, allowing users to run more than one operating 
system, either 32-bit or 64-bit, at the same time on the same computer. 

9. Secure Boot: Windows 8 is going to screw Linux by preventing Linux 
dual boots and installs. Unified Extensible Firmware Interface (UEFI) 
firmware specifications would mean PCs would only boot from a digi- 
tally signed image derived from a keychain rooted in keys built into the 
PC. Microsoft is pushing to make this mandatory in a move that could 
not be overridden by users 



The result is a slick OS that's as fast as iOS and Mac OS X Lion. Most 
people will be surprised by how quickly Windows 8 starts up or runs 
apps. We certainly were surprised. 
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The Security Model of 'Windows 8 Server' £ 
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i it comes to the Microsoft open 



When it comes to the Microsoft operating system line, you are always 
going to get some good and some bad. Lately it seems that with their 
latest releases the good has been outweighing the bad by a lot. The Win- 
dows 8 operating system preview has been garnishing rave reviews from 
the tech press. They like the way that it features a new secure way of 
computing. They also like the fact that it has been optimized for both 
normal PC's and tablets at the same time. There is going to come a time 
when these two worlds will be one and with Windows 8 you are already 
almost there. 



But with all of this talk of Windows 8 for consumers there is another ver- 
sion of the operating system that is being forgotten. It only makes sense 
since this version of the operating system works behind the scenes and 
only a few members of the public will ever work with it. The version of 
Windows 8 that I am talking about is the Windows 8 server version. The 
Windows 8 server version is promising a lot of surprises under its hood, 
especially when it comes to security. 
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And that is what we are going to talk about in this article. It is a good 
thing that Microsoft has decided to make so many improvements to its 
server model. They are really falling behind to some of the other open 
source options such as Apache and Nginx which are very popular on the 
open market. 

The Windows 8 server 

There are some people who are reading this article that might not know 
what a server is. This is not a hard thing to describe. A server is the soft- 
ware that allows you to serve web pages to visitors on the web. When you 
type a name in the address bar you are being redirected to a server. Web 
pages are not the only thing that a server can bring to your computer. 
You can also receive video, images, and a bunch of different digital items 
from a server. So now that you know what a server is, let's talk about the 
Windows 8 server security model. 

First of all, you still have a lot of the old security protections when it 
comes to Windows 8 server. If you were used to using that old paradigm 
you will not be left in the dark with the new version. The only changes 
here are the additions to some of your old favorites. 

The main feature that is being touted by Microsoft when it comes to the 
Windows 8 server edition is also probably the one that will keep you 
most secure as well. This feature is the new and improved virtual ma- 
chine set up of the operating system. Microsoft is hoping that more and 
more IT admins will get into making their set up more of a virtual struc- 
ture. This will provide the ability to make it easier to jettison any part of 
the server that is not working. 

Virtual machine technology has come a long way in the last couple of 
years and recently it has been Microsoft that has been leading the 
charge. Not only do they have their own virtual software for you to use 
on the server, but they have also made it easier to use their competitor's 
products as well. If you do not know, virtual machine technology allows 
you to run separate operating systems over top of the main operating 
system that you are running. 
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Being able to run servers in 
these separate operating sys- 
tems allows you to easier con- 
trol multiple web sites that 
might be hosted on one server. 
This means that is you have a 
web site that needs very high 
security then you can easily 
place it in a virtual instance 
and adjust it to whatever your 
needs are. This allows to place 
each web site security needs in 
line with one another. 

Another piece of the new operating system that has to do with security is 
the way that management is run on the new machines. It is set up so that 
you can easily watch multiple virtual instances as well as actual machine 
instances at one time. In the past it was difficult to set something like 
this up. Now with Windows 8 server that is no longer the case. Being 
able to monitor your system easily is the first step in making sure that it 
is secure. 




There are many more additions to the new Windows 8 server line that 
will help you with security. We have just decided to highlight the two 
biggest changes that will help you. 
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Microsoft Security 
Development 
Lifecycle 

With the growth of internet and tech- 
nology, the biggest challenge for the IT 1 
industry today is to develop a secure 
software application. Until recently, se- 
curity was just an afterthought for the 
developers as the focus typically was on 
functionality; implementing security 
was only at the end of development 
phase, which has been proven disas- 
trous and are more prone to security at- 
tacks. 

In response to this growing need, Mi- 
crosoft has implemented a stringent 
Security Development Lifecycle (SDL) which is a holistic approach to 
integrate security and privacy into the software development lifecycle. 
It is not a case where we have separate development and SDL process, 
SDL is integrated with the regular Software Development Lifecycle. 
Implementing a secure development life cycle has proven to enhance 
the security of the product as having only network security in place is no 
longer sufficient to secure an application. Security needs to be a part of 
the entire development process. 

Microsoft SDL Overview 

In the past several years, several security process models have emerged which 
aim to mitigate the process weaknesses and are frequently the culprits behind 
security breaches. 

The Microsoft SDL is a security assurance process which is focused on soft- 
ware development and offers one of the most comprehensive and well- 
designed SDLCs in the industry. It was created as a result of numerous high 
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priority security breaches involving Microsoft technologies prompting 
this IT giant to develop SDL in 2002, which has been a mandatory pro- 
cess at Microsoft since 2004. 

Microsoft defined a comprehensive SD3+C process C (Secure by Design, 
Secure by Default, Secure in Deployment, and Communications) to de- 
termine where the security and privacy efforts would be required. The 
identified principles for SD3+C are: 

Secure by Design 

□ Secure architecture, design, and structure: Detailed designs and ar- 
chitecture should be reviewed for possible security issues and mitiga- 
tions should be identified for all threats. 

□ Threat modeling and mitigation: Threat modeling should be carried 
out in design phase 

□ Elimination of vulnerabilities: Code review which includes the use of 
analysis and testing tools should be carried out to eliminate vulnerabili- 
ties. 

□ Improvements in security: A secure alternatives consistent with in- 
dustry standards should be provided. 

Secure by Default 

□ Least privilege: Ensure that all components run with the least pos- 
sible permissions. 

□ Conservative default settings: Minimize the attack surface in default 
configurations. 

□ Less commonly used services off by default: Ensure that features 
which are not often used are not activated by default. 

Secure in Deployment 

□ Deployment guides: Outline the secure deployment guideline. 

□ Analysis and management tools: Tools which enable administrators 
to configure and determine the optimal security level for a software re- 
lease should to be provided. 

□ Patch deployment tools: Tools which aid in patch deployment should 
be provided. 
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Communications 

□ Security response: Ensure that the team responds promptly to the 
identified security issues. 

□ Community engagement: Team proactively engages in community 
discussions on security updates, vulnerabilities and future milestones. 
Secure software development process model was developed by adding 
SD3+C concept to all elements of development process. SDL combines 
both holistic and practical approach to implement security and privacy 
in all the phases throughout the development process and has been 
Microsoft's foundation of security guidance for all internal develop- 
ment. 

Microsoft SDL can support variety of languages, different software de- 
velopment platforms like Waterfall, spiral or Agile and also operating 
systems agnostic. 

SDL Process 

Microsoft SDL Process is a set of mandatory security activities which are 
grouped by the traditional software development life cycle (SDLC) 
phases. These security activities should be a repetitive process in order 
to gain a greater security, however some of the activities can also be 
implemented on a standalone basis. SDL Security activities are divided 
into seven phases as shown below: 
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In Order to build any secure application, the development team should 
be aware and be able to analyze the product having threats in mind and 
should be aware of tools and techniques to mitigate them. Therefore 
educating the developers becomes critical. 

Hence As part of the SDL, Microsoft offers a continuous formal security 
training program to the product development team to develop and 
refine security information. 
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The courses covered as part of this phase are 

□ Intro to the SDL 

□ Security Design 

□ Security Coding 

□ Security Testing 

□ Security Bugs in Detail - Vulnerabilities and Exploits 

□ Security Response 

□ Privacy 

Microsoft believes that just formal training serves only a small portion 
of the effort that is required to build secure Application. A 70-20-10 de- 
livery model approach is followed, which says 70% of your learning 
comes from on-the-job training/learning-by-doing, 20% from self- 
study, and only 10% from formal trainings. 

Phase One: Requirements 

The fundamental aspect of secure application development is to con- 
sider security and privacy "Up front". Security requirements should be 
defined in the initial planning phase. This gives an opportunity to con- 
sider how security would be integrated into the development process 
and also identify key security objectives, milestones and deliverables 
During this phase bug bars and quality gates which apply to the entire 
software development project should be used to define the severity 
thresholds of security issues. 

Defining these criteria at an early phase improves the understanding of 
risks associated with security issues enabling to identify and fix the issue 
during development phase. A security risk assessment (SRA) and pri- 
vacy risk assessments (PRA) should be a mandatory exercise in order to 
identify the functional aspects of the application which may require 
deep security review. 

Phase Two: Design 

Functional design specifications should describe the security and pri- 
vacy features exposed to users, such as user authentication to access 
specific sensitive data and in addition also describe how the functional- 
ity would be implemented securely. 
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It is important for the team to understand the difference between "secu- 
rity features" and "secure features". Secure features are features whose 
functionality is engineered in terms of security and validated thor- 
oughly, where as a security feature in fact could be insecure. 

The best approach to influence the security design of a product is to 
make use of threat modeling tool. It is a practice which allows to iden- 
tify, mitigate and document the application threats. 

Phase Three: Implementation 

This is the phase where development best practices are established to 
identify and mitigate the security issues as early in development cycle. A 
number of tools and process are available in order to accomplish this 
goal. The development team should enforce and mandate best practices 
identified in requirement phase and follow them throughout the devel- 
opment cycle. 

A list approved tools along with their associated security checks; depre- 
cated APIs which are determined to be unsafe should be defined. 

Static source code analysis should be performed to provide a scalable ca- 
pability for security code review to ensure that secure coding best poli- 
cies are followed. Microsoft relies heavily on code analysis tool to iden- 
tify security issues, although security code review should be a combina- 
tion of both automated tool and manual code review. Investing time and 
effort at an early stage will help you eliminate the security issues and 
avoid having to respond to defects at a later phase. 

Phase Four: Verification 

Functionality of the application should be verified to ensure that it 
works as designed. Tools that monitor application behavior for issues 
such as memory Leakage, user privilege, and other critical security 
problems should be used. Microsoft SDL process suggests using run- 
time tools like App Verifier, along with other techniques such as fuzz 
testing, a dynamic form of analysis used to induce random data or pro- 
gram failure into the application and observe how the application will 
consume this data to achieve desired levels of security. 
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Microsoft suggests security testing to ensure that the application meets 
the security and privacy established during the previous phases are met. 

Phase Five: Release 

Before the application is ready for release Microsoft suggests carrying a 
plan of action for vulnerabilities to be discovered in your application re- 
lease. A final security and privacy review which is a deliberate examina- 
tion of all security activities should be performed prior to the application 
release. 



Post-SDL Requirement: Response 

As part of post release phase the development team must be available to 
respond to the security issues found after the release of the application. 
Post SDL activities like response and maintenance could be most expen- 
sive part of software lifecycle. There are two parts to this phase, one in 
responding to the security defects and another is to learn from previous 
mistakes. 
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Microsoft SDL recommends certain security tools as part of the develop- 
ment phase which is freely available for download and use, and supports 
a variety of languages, platforms, and development methodologies. It is 
important to understand which tools are appropriate for various differ- 
ent phases of the development lifecycle. 

Figure 2 above helps to identify how each of these tools fits into the SDL 
Security Development Lifecycle templates are available to ease the 
implementation of Security Development Lifecycle. 

Process Templates: 

Microsoft suggests making use of the SDL Process Template for VSTS to 
integrate policy, process and tools automatically into all phases of devel- 
opment for projects which adhere to spiral or waterfall development 
methodology. MSF Agile SDL process templates are similar to SDL Pro- 
cess Template but are suitable for Agile development methodology. 

Design Phase: 

Threat modeling tool is the best approach to influence the security 
design of the product. Microsoft threat modeling process of identifies 
threats to business which is inherited by the software application that is 
built, at a very early stage of SDLC. Security subject matter expertise is 
not required in order to create a feature rich threat model. 

Implementations Phase: 

A number of security tools are leveraged during implementation phase, 
some of which is mentioned below. 

□ banned.h header file lists and removes all banned functions / APIs 
from code. 

□ SitelLock Active Template Library (ATL) is used to restrict the use of 
ActiveX control to list of predefined domain names limiting other Web- 
Pages to reuse ActiveX control. 

□ FxCop is used to analyze managed code assemblies for security, per- 
formance, and design issues. 

□ Code Analysis for C/C++ is yet another static analyzer which helps 
detect and mitigate code errors. 
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□ Anti-XSS Library is an encoding library designed to help developers 
protect web application against Cross Site Scripting (XSS). 

□ CAT.NET is a binary static code analyzer like FxCop, but to identify 
only security vulnerabilities like SQL Injection, LDAP Injection, Cross 
Site Scripting, XPATH Injection and Error Handling. 

Verification Phase: 

Functionalities of the applications are verified using some of the tools 
mentioned below before the release of the product. 

□ BinScope is a verification tool which analyzes binaries to ensure com- 
pliance to SDL requirements. 

□ MiniFuzz is used as a testing tool specifically for file handling. 

□ SDL Regex is a verification tool for regular expressions against Denial 
of Service (DOS) attacks. 

□ AppVerifier is a runtime application verifying tool used to find 
memory related issues. 

Benefits of SDL 

Microsoft SDL could be applied to any platform, any development meth- 
odology, and any large, medium, small software development organiza- 
tion as it is versatile enough to allow addition of other policies, thereby 
creating a unique software development process for individual organi- 
zation. 

A research executed by National Institute of Standards and Technology 
(NIST) estimates that the cost of code fixes performed after the release 
can result in 30 times the cost of fixes performed during the initial 
phases when a defined process like SDL is followed. 

To measure the extent to which Microsoft SDL reduces security issues, a 
case study of "Pre- SDL" and "Post-SDL" version of same product was 
conducted by security experts over a period of time after release 
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Summary 

It is very clear that the need for having a secure software development 
will never cease. Ad hoc process will only increase the risk of security at- 
tacks; a systemic SDL approach offers the best means to integrate secu- 
rity in the Software Development Lifecycle. Mitigating security issues at 
an early stage is less expensive compared to post production. Project 
teams should refrain from "bolting on" security features to the end de- 
velopment. 

Microsoft has emerged as a leader in security development with years of 
development and refinement. Microsoft continues to invest on tools to 
improve the SDL as part of their ongoing effort. With the Microsoft ap- 
proach, developers need not to be a security expert in order to identify 
and mitigate threats. Microsoft's global team ensures to keep SDL and 
tools up to date which has resulted in a demonstrable reduction in 
number of security issues. 
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September Cyber Attacks 



■ 



Here are the September 11' Cyber Attacks. It appears that the wave of Anony- 
mous attacks that characterized August has stopped. There were several iso- 
lated episodes but, their impact was slightly lower than the previous months. 
Probably the most important security incident for this month was the Digino- 
tar Hack, not only because the Dutch Certification Authority has been banned 
forever by the main browsers and OS's but also because the entire authenti- 
cation model based on CA's is under discussion. Moreover once again a cyber 
attack has been used as a mean of repression. 



For the first time not even the Linux Operating System (an open world) was 
immune from hackers: both the Linux Kernel and the Linux Foundation Web 
Sites were hacked during this month, two episodes that Penguin Lovers will 
remember for a long time. Easily predictable, an attack recalling 9/11 carried 
on against the Twitter Account of NBC News was also reported. 

The BEAST attack on SSL punched the Infosec Community in its gut and last 
but not least a massive defacement of 700,000 sites hosted by Inmotion. 

Kernel.org (September 1,2011): The site of Kernel.org suffered a security 
breach which caused the server to be rooted and 448 credential compro- 
mised. Although it is believed that the initial infection started on August the 
12th, it was not detected for another 12 days. 

Here is the Quick Timeline of Attacks: 

Apple, Symantec, Facebook, Microsoft, etc (September 1,2011): The Sri 

Lankan branch of Anonymous claims to have hacked into the DNS servers of 
Symantec, Apple, Facebook, Microsoft, and several other large organizations 
over the past few days, posting the news and records of its exploits on Paste- 
bin. 




Texas Police Chiefs Association (September 2,2011): As usual happens on 
Fridady, Texas Police Chiefs Association Website is hacked by Anonymous for 
Antisec Operation. Hacker defaced their website and posted 3GB of data in 
retaliation for the arrests of dozens of alleged Anonymous suspects. 
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EA Game Battlefield Heroes (September 2,2011): One of the most famous 
games over the world Battlefield Heroes developed by EA Games is hacked by 
a hacker named "Why So Serious?'' who leaks the User Login passwords on 
pastebin. 



Popular Websites: Daily Telegraph, The Register, UPS, Vodafone (September 
4,2011): Popular websites including The Register, The Daily Telegraph, UPS, 
and others fall victim to a DNS hack that has resulted in visitors being redi- 
rected to third-party webpages. The authors of the hack, a Turkish group called 
Turkguvenligi, are not new to similar actions and leave a message declaring 
this day as World Hackers' Day. 



European Union Institute For Energy and Transport (September 5,2011): One 

of the Sub domain of European Union (Institute for Energy) is hacked and De- 
faced by Inj3ct0r. Hackers deface the web page, release some internal details 
and leave a message against Violence in Lybia and Russian influence in 
Ukraine. 

United Nations Sub Domain of Swaziland (September 5,2011): United Na- 
tions Sub-Domain of Swaziland is hacked and defaced by Cocain Team Hackers. 



Diginotar (September 6,2011): The real extent of the Diginotar breach be- 
comes clear: 531 bogus certificates issued including Google, CIA, Mossad, Tor. 
Meanwhile in a pastebin message Comodo Hacker states he own four more 
CAs, among which GlobalSign which precautionally suspends issuance of cer- 
tificates. 



GlobalSign (September 9,2011): After suspending issuing certificates, Global- 
Sign finds evidence of a breach to the web server hosting the www website. 
The breached web server has always been isolated from all other infrastruc- 
ture and is used only to serve the www.globalsign.com website. 

Google (September 9,2011): As consequence of the infamous Diginotar 
Breach Google advises its users in Iran to change their Gmail passwords, and 
check that their Google accounts have not been compromised. Google also in- 
dicates that it is directly contacting users in Iran who may have been hit by a 
man-in-the-middle attack. 
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NBC News (September 9,2011): The NBC News Twitter account is ha 
starts to tweet false reports of a plane attack on ground zero. The a 
suspended and restored after few minutes. 



Samsung Card (September 9,2011): Data of up to 800,000 Samsung Card cli- 
ents may have been compromised after an employee allegedly extracted their 
personal information. The Breach was discovered on Aug. 25 and reported to 
police on Aug. 30. It is not clear what kind of information has been leaked, 
maybe the first two digits of residence numbers, the names, companies and 
mobile phone numbers were exposed. Estimated cost of the breach is 
$171,200,000. 



Linux Foundation (September 9,2011): Few weeks after the kernel.org Linux 
archive site suffered a hacker attack, the Linux Foundation has pulled its web- 
sites from the web to clean up from a security breach. A notice posted on the 
Linux Foundation said the entire infrastructure including LinuxFoundation.org, 
Linux.com, and their subdomains are down for maintenance due to a security 
breach that was discovered on September 8, 2011. 

Nigerian Government Website (September 12,2011): Nigerian Government 
Website is hacked and defaced by Brazilian Hackers that leave a message in the 
main page. 

Panda Security (September 12,2011): Another Security Company Hacked: a 
hacker going by the name of X-Nerd hacks and defaces the Pakistan Server of 
a very well known security software website: Panda Security. 

uTorrent.com (September 14,2011): The uTorrent.com Web servers has been 
compromised and consequently the standard Windows software download 
was replaced with a type of fake antivirus "scareware" program. 



Websites of several Mexican government ministries (September 16,2011): As 

part of Oplndipendencia, websites of several Mexican government ministries, 
including Defense and Public Security, are teared down in the same day of the 
symbolic beginning of Mexico's independence from Spain. 
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Official Website of The United States Navy (September 16,2011): An hacker 
crew called Sec Indi Security Team Hacker uploads a custom message on the 
server to warn a WebDav vulnerability. 





Texas Police (September 18,2011): Anonymous/Anti-sec releases a document 
containing a list of about 3300 members of the Texas Police Association 



City Of Rennes (September 19,2011): TeaMpOisoN takes responsibly to hack 
the official website of The City Of Rennes (France) via a tweet. They also pub- 
lish the reason of hack on the defacement page. 



Fox Sports Website (September 20,2011): Fox Sports website, on of the most 
visited Websites in the world (rank 590 in Alexa) gets hacked. An Hacker 
named "ShadOw" releases SQL injection Vulnerability on one of the sub 
domain of Fox Sports and exploit it to extract the database. Leaked database 
info posted on pastebin. Vulnerable link is also posted together admin pass- 
word hashes. 



Core Security Technologies (September 22,2011): Another security Firm 
target of hacking: Core Security Technologies is hacked by an hacker called 
SncOpe, who defaces some websites belonging to the firm. 

Seven Major Syrian Cities and Government Web Sites (September 25,2011): 

The Anonymous unleash a chain of defacement actions against the Syrian Gov- 
ernment, hacking and defacing the official sites of seven major Syrian cities, 
which stayed up in their defaced version for more than 16 hours. 

Inmotion Hosting Server (September 26,2011): 700,000 websites hosted on 
InMotion Hosting network are hacked by TiGER-M@TE. The hackers copied 
over the index.php in many directories (publicjitml, wp-admin), deleted 
images directory and added index.php files where not needed. 

USA Today Twitter Account (September 26,2011): The USA Today Twitter ac- 
count is hacked and starts to tweet false messages mentioning the other ac- 
counts hacked by the authors of the action: the Script Kiddies (already in the 
spotlight for hacking the FoxNews Twitter Account at the Eve of 9/11 anniver- 
sary). 
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MySQL.com (September 26,2011): MySQL.com website is struck by cyber- 
criminals, who hacked their way in to serve up malicious code to visiting com- 
puters with a Java exploit that downloaded and executed malicious code on 
visiting Windows computers. 

Activist activity has diminished in September unless you consider the numer- 
ous assaults on police/law enforcement agencies from the United States to 
Austria. Is it possible that exposure of Police/law enforcement misconduct 
around the world could actually curb harassment of activist/demonstrators 
and deliver a level of vulnerability/humanity to those that are swore to "Pro- 
tect and Serve' 7 their citizens? Could it be that that Police Officers involved in 
Internal Affairs investigations and those proceedings might be a lot more cir- 
cumspect in the execution of their duties if they know they are vulnerable to 
exposure? A recent example; the hacker collective Anonymous identified 
NYPD Deputy Inspector Anthony Bologna as the man seen pepper-spraying 
two women unprovoked at the Occupy Wall Street protest. It is difficult not to 
view this incident as a prime example of the police protecting the powers that 
be and working against anyone willing to take a stand against oppression. No 
country should tolerate a corporatist police state. 




The Dignator Hack was another battle in the Standards Wars. The status quo's 
desire to repress innovation and protect its de facto monopoly over 
systems/network technology is to be expected. Though the political ramifica- 
tions are benign and obscured by the potential for huge monetary losses, it is 
a ruse to maximize control of a few over world-wide internet services. True, 
combined with DNS attacks, pointing users to counterfeit sites is not a trivial 
matter. However, it should be known weeks earlier, J. P. Morgan Chase's dona- 
tion of $4.6M to the NYPD was not an act of charitable giving to the needy, but 
a rather heavy handed payment for protection against the rabble. 

There are no innocent acts of kindness by corporate denizens. Focusing efforts 
on "The Nets" established institutions, (Multi-national banks, Goggle, Equifax, 
etc) that resells it users data to law enforcement, government, military indus- 
trial complex or institutions otherwise violating the public trust should be the 
first order of business. 

"'Power concedes nothing without a demand. It never did and it never witf." 

Frederick Douglass 
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